Bug 719084 (CVE-2020-11939, CVE-2020-11940, CVE-2020-15471, CVE-2020-15472, CVE-2020-15473, CVE-2020-15474, CVE-2020-15475, CVE-2020-15476) - net-libs/nDPI: Multiple vulnerabilities (CVE-2020-{11939,11940,15471,15472,15473,15474,15475,15476})
Status: IN_PROGRESS
Alias: CVE-2020-11939, CVE-2020-11940, CVE-2020-15471, CVE-2020-15472, CVE-2020-15473, CVE-2020-15474, CVE-2020-15475, CVE-2020-15476
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~1 [upstream/ebuild masked cve]
Keywords: PMASKED, PullRequest
Depends on: 712058 719112
Reported: 2020-04-23 16:39 UTC by Sam James
Modified: 2020-11-05 14:08 UTC
CC List: 3 users
Runtime testing required: ---
Description Sam James archtester gentoo-dev Security 2020-04-23 16:39:58 UTC
1) CVE-2020-11939

Description:
"In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis."

Patch: https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
Advisory: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi

2) CVE-2020-11940
	
Description:
"In nDPI through 3.2 Stable, an out-of-bounds read in concat_hash_string in ssh.c can be exploited by a network-positioned attacker that can send malformed SSH protocol messages on a network segment monitored by nDPI's library."

Patch: https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
Advisory: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi
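The two SSH issues above are length-handling bugs in how KEXINIT name-lists are concatenated. As an added example (not nDPI's code and not the upstream patch), the following C parser accumulates SSH name-lists (uint32 big-endian length plus bytes) into a fixed-capacity string, checking every length against the remaining packet and the destination before it is used. The names HASH_CAP, hash_buf, append_name_list, parse_kexinit_lists and the two sample packets are constructed for this example.

```c
/* Added example, not nDPI's code: bounds-checked accumulation of SSH KEXINIT
 * name-lists (RFC 4253: uint32 big-endian length + bytes) into a fixed-size
 * hash string. Each length is validated against the remaining packet and the
 * destination capacity before use. HASH_CAP and the packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_CAP 64                 /* assumed capacity incl. trailing NUL */
struct hash_buf { char data[HASH_CAP]; size_t len; };  /* len < HASH_CAP always */

static uint32_t rd_u32(const uint8_t *p) {   /* SSH wire: big-endian uint32 */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Append one name-list at pkt[*off] to hb (';'-separated). Returns 1 on
 * success, 0 on malformed input. Checks are ordered so no subtraction or
 * addition can wrap: off <= pkt_len holds on entry and is preserved. */
static int append_name_list(struct hash_buf *hb, const uint8_t *pkt,
                            size_t pkt_len, size_t *off) {
    if (pkt_len - *off < 4) return 0;                /* no room for length */
    uint32_t n   = rd_u32(pkt + *off);
    size_t  body = *off + 4;
    if (n > pkt_len - body) return 0;                /* claims more than present */
    size_t need  = (size_t)n + (hb->len ? 1u : 0u); /* plus separator */
    if (need > HASH_CAP - 1 - hb->len) return 0;     /* would overflow hb */
    if (hb->len) hb->data[hb->len++] = ';';
    memcpy(hb->data + hb->len, pkt + body, n);
    hb->len += n;
    hb->data[hb->len] = '\0';
    *off = body + n;
    return 1;
}

/* Parse up to `count` consecutive name-lists; returns how many were read. */
static size_t parse_kexinit_lists(const uint8_t *pkt, size_t pkt_len,
                                  size_t count, struct hash_buf *hb) {
    size_t off = 0, done = 0;
    hb->len = 0; hb->data[0] = '\0';
    while (done < count && append_name_list(hb, pkt, pkt_len, &off)) done++;
    return done;
}

/* Constructed sample: two well-formed name-lists. */
static size_t demo_wellformed(struct hash_buf *hb) {
    static const uint8_t pkt[] = {
        0,0,0,17, 'c','u','r','v','e','2','5','5','1','9','-','s','h','a','2','5','6',
        0,0,0,11, 's','s','h','-','e','d','2','5','5','1','9' };
    return parse_kexinit_lists(pkt, sizeof pkt, 2, hb);
}

/* Constructed sample: length 0xFFFFFFFF with only four bytes behind it. */
static size_t demo_hostile(struct hash_buf *hb) {
    static const uint8_t pkt[] = { 0xff,0xff,0xff,0xff, 'a','b','c','d' };
    return parse_kexinit_lists(pkt, sizeof pkt, 1, hb);
}

int main(void) {
    struct hash_buf hb;
    printf("well-formed: %zu lists -> \"%s\"\n", demo_wellformed(&hb), hb.data);
    printf("hostile: %zu lists accepted\n", demo_hostile(&hb));
    return 0;
}
```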
Comment 1 Sam James archtester gentoo-dev Security 2020-04-23 17:14:07 UTC
@maintainer(s), please apply the supplied patches
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-04-23 18:08:02 UTC
https://github.com/pmacct/pmacct/pull/382#pullrequestreview-391883704
Comment 3 Sam James archtester gentoo-dev Security 2020-05-05 22:40:55 UTC
I've asked for an update on the dependent bugs. It looks like some patches could be applied but there may be complications with the rdeps given they seem fragile.
Comment 4 Larry the Git Cow gentoo-dev 2020-06-12 03:49:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e26047940e7c08a5893799df90228a62b13eac57

commit e26047940e7c08a5893799df90228a62b13eac57
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-12 03:48:36 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-12 03:49:10 +0000

    profiles/package.mask: mask net-libs/nDPI and friends
    
    Bug: https://bugs.gentoo.org/719084
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2020-06-17 04:41:12 UTC
(In reply to Larry the Git Cow from comment #4)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=e26047940e7c08a5893799df90228a62b13eac57
> 
> commit e26047940e7c08a5893799df90228a62b13eac57
> Author:     Aaron Bauman <bman@gentoo.org>
> AuthorDate: 2020-06-12 03:48:36 +0000
> Commit:     Aaron Bauman <bman@gentoo.org>
> CommitDate: 2020-06-12 03:49:10 +0000
> 
>     profiles/package.mask: mask net-libs/nDPI and friends
>     
>     Bug: https://bugs.gentoo.org/719084
>     Signed-off-by: Aaron Bauman <bman@gentoo.org>
> 
>  profiles/package.mask | 8 ++++++++
>  1 file changed, 8 insertions(+)

# maintainer ignored w/irrelevant comment.

What irrelevant comment would that be? Is that really something you want to relay to a wider audience instead of inviting people to (supply patches to) fix software that is actually useful and used?

Regarding the bit before the "w/", I want to say that I do not have much time for complex problems these days for various personal reasons, and fixing various upstream compatibility issues makes resolving nDPI-3.2 stabilisation rather complex, indeed.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2020-06-17 04:54:21 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Larry the Git Cow from comment #4)
> > The bug has been referenced in the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=e26047940e7c08a5893799df90228a62b13eac57
> > 
> > commit e26047940e7c08a5893799df90228a62b13eac57
> > Author:     Aaron Bauman <bman@gentoo.org>
> > AuthorDate: 2020-06-12 03:48:36 +0000
> > Commit:     Aaron Bauman <bman@gentoo.org>
> > CommitDate: 2020-06-12 03:49:10 +0000
> > 
> >     profiles/package.mask: mask net-libs/nDPI and friends
> >     
> >     Bug: https://bugs.gentoo.org/719084
> >     Signed-off-by: Aaron Bauman <bman@gentoo.org>
> > 
> >  profiles/package.mask | 8 ++++++++
> >  1 file changed, 8 insertions(+)

# removal in 30 days. bug #719084

You also didn't announce the removal as a "last rites", it seems.
Comment 7 Larry the Git Cow gentoo-dev 2020-06-17 04:59:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03f61f4f47219f18a44551cbc47531886ffc99b

commit c03f61f4f47219f18a44551cbc47531886ffc99b
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-06-17 04:59:18 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-06-17 04:59:39 +0000

    net-analyzer/pmacct: Update live ebuild
    
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>
    Bug: https://bugs.gentoo.org/719084
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/pmacct/pmacct-999999.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a5d6411b0b856347c9a5ec72e162336fc16bb42

commit 8a5d6411b0b856347c9a5ec72e162336fc16bb42
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-06-17 04:56:22 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-06-17 04:59:39 +0000

    profiles/package.mask: Unmask net-libs/nDPI, ntopng, pmacct
    
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>
    Bug: https://bugs.gentoo.org/719084
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 profiles/package.mask | 8 --------
 1 file changed, 8 deletions(-)
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-17 15:36:35 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Larry the Git Cow from comment #4)
> > The bug has been referenced in the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=e26047940e7c08a5893799df90228a62b13eac57
> > 
> > commit e26047940e7c08a5893799df90228a62b13eac57
> > Author:     Aaron Bauman <bman@gentoo.org>
> > AuthorDate: 2020-06-12 03:48:36 +0000
> > Commit:     Aaron Bauman <bman@gentoo.org>
> > CommitDate: 2020-06-12 03:49:10 +0000
> > 
> >     profiles/package.mask: mask net-libs/nDPI and friends
> >     
> >     Bug: https://bugs.gentoo.org/719084
> >     Signed-off-by: Aaron Bauman <bman@gentoo.org>
> > 
> >  profiles/package.mask | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> 
> # maintainer ignored w/irrelevant comment.
> 
> What irrelevant comment would that be? Is that really something you want to
> relay to a wider audience instead of inviting people to (supply patches to)
> fix software that is actually useful and used?
> 
> Regarding the bit before the "w/", I want to say that I do not have much
> time for complex problems these days for various personal reasons, and
> fixing various upstream compatibility issues makes resolving nDPI-3.2
> stabilisation rather complex, indeed.

So, just reply on the bug and request assistance. Others have linked to upstream patches and you simply replied with an issue regarding APIs. That doesn't really explain anything to anyone. Not having time for a volunteer project is understandable.
Comment 9 Sam James archtester gentoo-dev Security 2020-06-17 21:11:06 UTC
So, I think where we're at now, is we need the original patches to be applied?
Comment 10 Sam James archtester gentoo-dev Security 2020-06-20 01:20:28 UTC
(In reply to Sam James (sec padawan) from comment #9)
> So, I think where we're at now, is we need the original patches to be
> applied?

ping.
Comment 11 Sam James archtester gentoo-dev Security 2020-06-27 20:11:48 UTC
(In reply to Sam James (sec padawan) from comment #10)
> (In reply to Sam James (sec padawan) from comment #9)
> > So, I think where we're at now, is we need the original patches to be
> > applied?
> 
> ping.

ping.

These are the only patches applied: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86334337401778e20e86773179e40c4a323fb34d

We need this: https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202.

If there's a problem or something I'm not seeing, please let us know and we can help. Otherwise please apply the patches ASAP.
Comment 12 Sam James archtester gentoo-dev Security 2020-06-27 20:31:30 UTC
(In reply to Sam James (sec padawan) from comment #11)
> (In reply to Sam James (sec padawan) from comment #10)
> > (In reply to Sam James (sec padawan) from comment #9)
> > > So, I think where we're at now, is we need the original patches to be
> > > applied?
> > 
> > ping.
> 
> ping.
> 
> These are the only patches applied:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=86334337401778e20e86773179e40c4a323fb34d
> 
> We need this:
> https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202.
> 
> If there's a problem or something I'm not seeing, please let us know and we
> can help. Otherwise please apply the patches ASAP.

I think we need this, actually:
1) https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
2) https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
3) https://github.com/ntop/nDPI/commit/a70fd6ed3b33d9e2c89fe35c96102c156d39f1f9
4) https://github.com/ntop/nDPI/commit/c120cca66272646c4277d71fa769d020b1026b28

but there's a large number of other memory-safety commits, so a snapshot may be more appropriate if the reverse dependencies still build.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2020-06-28 07:27:00 UTC
(In reply to Sam James (sec padawan) from comment #12)
> I think we need this, actually:
> 1)
> https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
> 2)
> https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
> 3)
> https://github.com/ntop/nDPI/commit/a70fd6ed3b33d9e2c89fe35c96102c156d39f1f9
> 4)
> https://github.com/ntop/nDPI/commit/c120cca66272646c4277d71fa769d020b1026b28

Were you looking at the dev branch or the 3.2-stable branch?

> but there's a large number of other memory-safety commits, so a snapshot may
> be more appropriate if the reverse dependencies still build.

Yes, it is starting to look like that, indeed.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2020-06-28 07:29:58 UTC
(In reply to Aaron Bauman from comment #8)
> and you simply replied with an issue regarding API's.

Yes, upstream development has great trouble declaring stable APIs and doing their work in their stead cost me many hours. When you see mention of "issues with APIs" you should generally think "API breakage" and fear the worst.
Comment 15 John Helmert III (ajak) 2020-07-13 17:47:37 UTC
Can we get a mask on this? I quite dislike a situation where a user runs software vulnerable to RCE without knowing it.
Comment 16 Sam James archtester gentoo-dev Security 2020-07-18 23:11:13 UTC
(In reply to Jeroen Roovers from comment #13)
> (In reply to Sam James (sec padawan) from comment #12)
> > I think we need this, actually:
> > 1)
> > https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
> > 2)
> > https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
> > 3)
> > https://github.com/ntop/nDPI/commit/a70fd6ed3b33d9e2c89fe35c96102c156d39f1f9
> > 4)
> > https://github.com/ntop/nDPI/commit/c120cca66272646c4277d71fa769d020b1026b28
> 
> Where you looking at the dev branch or the 3.2-stable branch?
> 

Sorry, yes, it's from dev. Bleh.

(In reply to John Helmert III (ajak) from comment #15)
> Can we get a mask on this? I quite dislike a situation where a user runs a
> software vulnerable to RCE without knowing it.

I'm going to do this unless there's a good reason not to. It's not with a view to removal, but I think it's fair so users can be aware of the risk.

With regard to what you should do, Jer, I don't have any great suggestions here. This is a horrible situation because of the breakages on the reverse dependencies with so many of upstream's changes, so a snapshot isn't feasible. :/

So, my inclination is: mask + wait.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-07-18 23:15:40 UTC
CVE-2020-15476 (https://nvd.nist.gov/vuln/detail/CVE-2020-15476):
  In nDPI through 3.2, the Oracle protocol dissector has a heap-based buffer
  over-read in ndpi_search_oracle in lib/protocols/oracle.c.

CVE-2020-15475 (https://nvd.nist.gov/vuln/detail/CVE-2020-15475):
  In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c omits
  certain reinitialization, leading to a use-after-free.

CVE-2020-15474 (https://nvd.nist.gov/vuln/detail/CVE-2020-15474):
  In nDPI through 3.2, there is a stack overflow in extractRDNSequence in
  lib/protocols/tls.c.

CVE-2020-15473 (https://nvd.nist.gov/vuln/detail/CVE-2020-15473):
  In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based
  buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.

CVE-2020-15472 (https://nvd.nist.gov/vuln/detail/CVE-2020-15472):
  In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based
  buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as
  demonstrated by a payload packet length that is too short.

CVE-2020-15471 (https://nvd.nist.gov/vuln/detail/CVE-2020-15471):
  In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based
  buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
Comment 18 Larry the Git Cow gentoo-dev 2020-07-20 21:54:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ac40f1280724fe6d38d3fdb53539a91975cfd23

commit 4ac40f1280724fe6d38d3fdb53539a91975cfd23
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-20 21:51:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-20 21:51:49 +0000

    profiles/package.mask: security mask net-libs/nDPI (+ reverse deps)
    
    Mask net-libs/nDPI and its reverse dependencies (ntopng, pmacct)
    unless / until a sustainable fix is found for the multiple
    serious vulnerabilities reported in nDPI.
    
    Upstream have an unstable API which often breaks reverse
    deps, making applying patches an unworkable solution for now.
    
    There is no fixed release upstream, nor is there a clear
    timeline for one being published.
    
    This bug has been open for a significant amount of time,
    and this mask is not with a view to removal, but to
    ensure users are aware of the risks of using this package.
    
    Bug: https://bugs.gentoo.org/719084
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2020-07-22 06:15:25 UTC
(In reply to Larry the Git Cow from comment #18)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=4ac40f1280724fe6d38d3fdb53539a91975cfd23
> 
> commit 4ac40f1280724fe6d38d3fdb53539a91975cfd23
> Author:     Sam James <sam@gentoo.org>
> AuthorDate: 2020-07-20 21:51:49 +0000
> Commit:     Sam James <sam@gentoo.org>
> CommitDate: 2020-07-20 21:51:49 +0000
> 
>     profiles/package.mask: security mask net-libs/nDPI (+ reverse deps)
>     
>     Mask net-libs/nDPI and its reverse dependencies (ntopng, pmacct)
>     unless / until a sustainable fix is found for the multiple
>     serious vulnerabilities reported in nDPI.
>     
>     Upstream have an unstable API which often breaks reverse
>     deps, making applying patches an unworkable solution for now.
>     
>     There is no fixed release upstream, nor is there a clear
>     timeline for one being published.
>     
>     This bug has been open for a significant amount of time,
>     and this mask is not with a view to removal, but to
>     ensure users are aware of the risks of using this package.
>     
>     Bug: https://bugs.gentoo.org/719084
>     Signed-off-by: Sam James <sam@gentoo.org>
> 
>  profiles/package.mask | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)

Why did you mask pmacct? Its nDPI dependency is optional.
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2020-07-22 07:16:38 UTC
(In reply to Sam James from comment #16)
> (In reply to Jeroen Roovers from comment #13)
> > (In reply to Sam James (sec padawan) from comment #12)
> > > I think we need this, actually:
> > > 1)
> > > https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
> > > 2)
> > > https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
> > > 3)
> > > https://github.com/ntop/nDPI/commit/a70fd6ed3b33d9e2c89fe35c96102c156d39f1f9
> > > 4)
> > > https://github.com/ntop/nDPI/commit/c120cca66272646c4277d71fa769d020b1026b28
> > 
> > Where you looking at the dev branch or the 3.2-stable branch?
> > 
> 
> Sorry, yes, it's from dev. Bleh.

I added those in 3.2-r1 but you seem to have ignored that in your review. I still don't see any correlation between the eight(!) CVEs and any commits or releases that purport to fix those.

> With regard to what you should do, Jer, I don't have any great suggestions
> here. This is a horrible situation because of the breakages on the reverse
> dependencies with so many of upstream's changes, so a snapshot isn't
> feasible. :/

It isn't feasible? You say this after 3.2-r1 was committed. Not sure whether that should have been expressly mentioned here or whether it should be regarded as due diligence to check commits relevant to bug reports before masking packages.
Comment 21 Larry the Git Cow gentoo-dev 2020-07-22 07:22:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c02681fcb7839ac1829ec09394334ddbca1b0aea

commit c02681fcb7839ac1829ec09394334ddbca1b0aea
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 07:21:32 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 07:22:17 +0000

    net-libs/nDPI: Add fix for oob in kerberos dissector
    
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/719084
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 ...PI-3.2-0005-Fix-oob-in-kerberos-dissector.patch | 23 ++++++++
 net-libs/nDPI/nDPI-3.2-r2.ebuild                   | 65 ++++++++++++++++++++++
 2 files changed, 88 insertions(+)
Comment 22 Larry the Git Cow gentoo-dev 2020-11-05 14:08:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75f0ee948825fc1dd8060a4480a0dd5872424313

commit 75f0ee948825fc1dd8060a4480a0dd5872424313
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-11-04 07:09:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-05 14:08:01 +0000

    net-libs/nDPI: bump to 3.4
    
    Bug: https://bugs.gentoo.org/719084
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/nDPI/Manifest                             |  1 +
 .../nDPI-3.4-fix-oob-in-kerberos-dissector.patch   | 16 ++++++
 net-libs/nDPI/nDPI-3.4.ebuild                      | 63 ++++++++++++++++++++++
 3 files changed, 80 insertions(+)